In the Adyen Customer Area, navigate to Developers > Webhooks and create a Standard Notification webhook pointing to your HTTPS endpoint; generate and copy the HMAC key
Store the HMAC key securely (e.g., in a secrets manager); Adyen signs each notification with HMAC-SHA256 using this key and includes the signature in the additionalData.hmacSignature field
On your endpoint, extract the hmacSignature from the notification's additionalData and compute the HMAC-SHA256 of the canonicalised notification fields using your stored HMAC key
Compare your computed signature to the received hmacSignature using a constant-time comparison to prevent timing attacks; reject notifications where they do not match
Return a plain-text HTTP 200 response with body [accepted] to acknowledge receipt; Adyen retries notifications that do not receive this acknowledgement within the timeout window
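The verification in steps 3 and 4, as an added Python example (not Adyen's library code and not part of the original page). The field order, the hex-encoded key and the base64-encoded signature are assumptions to confirm against Adyen's HMAC calculation documentation; `DEMO_KEY` and `SAMPLE` are constructed test values.

```python
import base64, binascii, hashlib, hmac

# Assumed field order for standard webhooks; confirm against Adyen's HMAC docs.
SIGNED_FIELDS = ("pspReference", "originalReference", "merchantAccountCode",
                 "merchantReference", "amount.value", "amount.currency",
                 "eventCode", "success")

def signing_string(item: dict) -> str:
    """Join the selected fields with ':'; absent fields become empty strings."""
    def lookup(path):
        node = item
        for part in path.split("."):
            node = node.get(part, "") if isinstance(node, dict) else ""
        return "" if node is None else str(node)
    return ":".join(lookup(f) for f in SIGNED_FIELDS)

def compute_signature(item: dict, hex_key: str) -> str:
    key = binascii.unhexlify(hex_key)  # assumption: key is issued hex-encoded
    mac = hmac.new(key, signing_string(item).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")  # assumption: base64

def verify_item(item: dict, hex_key: str) -> bool:
    received = (item.get("additionalData") or {}).get("hmacSignature")
    if not isinstance(received, str) or not received:
        return False  # unsigned items are rejected, never trusted
    expected = compute_signature(item, hex_key)
    # Compare as bytes in constant time so mismatch position is not leaked.
    return hmac.compare_digest(expected.encode(), received.encode())

# Constructed test key and notification item (not real Adyen data).
DEMO_KEY = "00112233445566778899aabbccddeeff" * 2
SAMPLE = {
    "pspReference": "TESTPSP0000000001",
    "merchantAccountCode": "ExampleMerchant",
    "merchantReference": "order-1001",
    "amount": {"value": 1500, "currency": "EUR"},
    "eventCode": "AUTHORISATION",
    "success": "true",
    "additionalData": {},
}
SAMPLE["additionalData"]["hmacSignature"] = compute_signature(SAMPLE, DEMO_KEY)

if __name__ == "__main__":
    print(signing_string(SAMPLE))
    print("valid:", verify_item(SAMPLE, DEMO_KEY))
```

Call `verify_item` once per notification item in the POST body and enqueue only the items that pass.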
Known gotchas
The HMAC is computed over a specific canonical string of selected notification fields in a defined order; using the wrong field order or including extra fields will produce a signature mismatch even if the key is correct — refer to Adyen's HMAC calculation documentation for the exact field list and order
If your endpoint takes more than a few seconds to process the notification, Adyen may consider it timed out and retry; accept and enqueue the notification quickly, then process it asynchronously
Adyen can send multiple notification items in a single HTTP POST in the items array; validate and acknowledge each item individually rather than assuming a single item per request